A worm in the apple
Download as PPTX, PDF1 like374 views
The document discusses the history and evolution of malware targeting Mac systems, highlighting significant incidents and notable strains like Flashback and Keranger. It covers Apple’s security measures and the misconceptions surrounding Mac security, citing that infections are rare yet still presents a historical catalog of malware from 1982 to 2016. The author, a malware researcher and information security engineer, emphasizes the continuous battle against malware and the importance of awareness.
A worm in the apple
- 1. A Worm in the Apple Exploration of Mac malware Wes Widner @kai5263499 wes@manwe.io
- 2. Introduction Information security engineer by day, malware researcher by night Also father of 4, so nights tend to be pretty short Previous talks have been about malware pipelines in general
- 3. Macs are secure, right?
- 4. Before 2012
- 5. After 2012
- 6. Flashback Actually it started in September 2011 Got its name by offering a Flash upgrade Poor English and other errors gave it away In February 2012 it changed tactics Took advantage of an unpatched Java vulnerability Apple still argues it was Sun’s fault Claimed 600k (~1%) according to Dr Web Generated revenue (~$14k) through click fraud
- 9. Flashback part 2 ~20k infections as recently as 2014 Tracked by Intego sinkhole No big deal In reality Apple spent the rest of the year cleaning up the mess Apple suddenly found themselves playing catch up
- 10. But that was a fluke, right?
- 11. Apple and many experts still don’t recommend using protection Infections are rare Apple is taking care of it
- 12. Perhaps some history will help
- 13. Mac malware history 1982 Prehistory: Elk Cloner 1987 nVIR 1988 HyperCard 1990 MDEF 1991 German folk tunes 1995 Word macro viruses 1996 Laroux – viruses for Excel 1996 AutoStart 9805 and Sevendust
- 14. 2006 Exploit.OSX.Safari, aka OSX.Exploit.Metadata / Leap, aka Oompa Loompa, the first virus for Mac OS X / Inqtana / OSX.Exploit.Launchd / Macarena 2007 RSPlug, aka DNSChanger, aka Jahlav, aka Puper / OpenOffice BadBunny and RSPlug financial malware 2008 MacSweeper, aka Immunizator / AsTHT, aka Hovdy, aka AplS.Saprilt / PokerStealer, aka Corpref / Lamzev, aka Malev / Scareware, backdoors and Jahlav 2009 iServices, aka iWorkServices, aka Krowi / Tored 2010 HellRTS, aka Pinhead, aka Hellraiser / OpinionSpy, aka Premier Opinion, aka Spynion / Koobface, aka Boonana
- 15. 2011 BlackHole RAT, aka MusMinim, aka DarkHole / MacDefender, aka MacSecurity, aka MacProtector, aka MacGuard, aka MacShield, aka Defma / QHost, also HostMod-A / Revir, aka Imuler, aka Muxler / Flashback, aka Flashfake / DevilRobber, aka Miner-D / FinFisher 2012 FileSteal, Hackback, KitM / Tibet, aka MacControl, aka MaControl, aka MacKontrol / Sabpab, aka Sabpub, aka Mdropper, aka Lamadai, aka Olyx / FkCodec/Codec-M / Maljava / GetShell, aka SET.gen, aka ShellCode, aka MetaData, aka TESrel / Crisis, aka Morcut, aka DaVinci / NetWeird, aka Wirenet / Jacksbot / Dockster / SMSSend 2013 Pintsized / CallMe / Minesteal / KitM / Janicab / ClickAgent / Leverage / Icefog 2014 LaoShu / CoinThief / XSLCmd / iWorm / Ventir / WireLurker, aka Machook
- 16. 2015 Lamadai / Kitm / Hackback / LaoShu / Appetite, trojan targeting government organizations / Imuler / Coin Thief / Suspend-resume rootkit 2016 KeRanger, first ransomware / Mokes / Keydnap / USB attack
- 23. Apple still actively fights with vendors iOS is a heavily walled garden OSX is becoming a walled garden
- 33. The Apple fights back
- 37. iDroid
- 40. 2009 XProtect / File Quarantine 2011 Sandboxing 2012 Gatekeeper 2015 System Integrity Protection 2016 XProtect + Yara
- 42. Firewall OSX comes with one one but two firewalls Application level firewall (alf) Packet Filter (pf)
- 43. Little Snitch
- 44. Icefloor - open source GUI pf manager
- 45. Software installation Archives everywhere Application bundles DMG What magic bytes? FileVault encryption PKGs the self-executables of the OSX world Natively compressed in xar format
- 46. Code signing XNU Hybrid BSD POSIX interface Mandatory Access Control Framework Mach Microkernel developed at Carnegie Mellon For parallel computing Released in 1985 Huxley the Platapus
- 47. MachO Similar to ELF Biggest difference is native code-signing support Same magic bytes (0xCAFEBABE) as Java class files IPC ports Not network ports Unix ports but in kernel land Resource forks
- 50. Little Flocker
- 51. Boot - in the beginning UEFI FAT boot partition Firmware passwords Pystar and Rebel EFI Copyrighted bootloader Physical attacks Firewire DMA Evil USB kext - Kernel extensions
- 57. Thanks for attending! Mac malware feed: http://ow.ly/O1WM303qAkV Mac infosec homebrew tap: http://ow.ly/c1LZ303pKwa OSX Security Awesome: http://ow.ly/uWEj303pKuf These slides: http://ow.ly/DpNQ305KfPd
Editor's Notes
- #7: http://www.thesafemac.com/about-the-flashback-malware/ http://www.pcworld.com/article/253270/600_000_infected_macs_found_in_botnet.html
- #8: http://www.theatlantic.com/technology/archive/2012/06/its-official-apple-computers-are-no-longer-virus-free/258902/
- #9: https://www.wired.com/2012/06/mac_viruses/
- #12: http://www.pcadvisor.co.uk/how-to/security/do-apple-macs-need-antivirus-os-x-security-explained-3418367/
- #14: https://nakedsecurity.sophos.com/2011/10/03/mac-malware-history/ http://www.reedcorner.net/mmg-catalog/
- #16: http://www.infoworld.com/article/2607924/security/stop-sneaky-hackers-from-launching-dma-attacks.html
- #17: http://thehackernews.com/2016/09/cross-platform-malware.html http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ http://www.theregister.co.uk/2015/06/01/apple_suspend_bug_0day/ http://www.ehackingnews.com/2016/09/a-usb-device-can-steal-credentials-from.html
- #18: https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html
- #19: http://bgr.com/2015/10/21/mac-malware-increase-2015/
- #20: http://news.softpedia.com/news/business-confidence-in-mac-security-has-decreased-over-the-past-year-496723.shtml
- #21: https://www.cnet.com/news/halo-still-in-effect-apple-sees-ipads-as-gateway-to-macs/
- #22: http://www.reuters.com/article/uk-apple-security-idUSLNE74P01620110526
- #23: https://nakedsecurity.sophos.com/2011/05/18/malware-on-your-mac-dont-expect-applecare-to-help-you-remove-it/
- #25: http://www.kitguru.net/lifestyle/apple/matthew-wilson/apple-is-apparently-cracking-down-on-ios-anti-virus-apps/ https://www.certosoftware.com/why-arent-there-any-anti-spyware-apps-for-iphone/
- #26: https://www.cnet.com/news/apple-kills-app-that-could-tell-if-your-iphone-was-hacked/
- #28: http://www.forbes.com/sites/thomasbrewster/2016/07/19/apple-iphone-ios-9-vulnerabilities-like-stagefright/#525886283947 https://nakedsecurity.sophos.com/2016/08/05/apple-rushes-out-ios-update-shuts-out-jailbreakers/
- #29: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- #30: http://www.theverge.com/2016/8/4/12380036/apple-bug-bounty-program-vulnerability-security
- #31: http://www.theregister.co.uk/2016/08/11/exodus_intelligence_500k_bounty/
- #32: https://www.wired.com/2016/09/top-shelf-iphone-hack-now-goes-1-5-million/
- #33: http://www.theregister.co.uk/2016/10/28/ios_bughunter_poc_floods_911/
- #35: http://www.usatoday.com/story/news/nation/2016/09/16/usa-today-lawsuit-fbi-iphone-hack-san-bernardino/90477540/ https://www.wired.com/2016/09/heres-fbi-hacked-san-bernardino-shooters-iphone/
- #36: https://www.jamf.com/blog/debate-over-ibm-confirms-that-macs-are-535-less-expensive-than-pcs/ https://9to5mac.com/2016/04/04/white-house-obama-iphone/
- #37: http://www.reuters.com/article/us-apple-hackers-idUSBRE91I10920130219
- #40: http://law.justia.com/cases/federal/appellate-courts/ca9/10-15113/10-15113-2011-09-28.html
- #41: https://paolozaino.wordpress.com/2015/08/04/how-to-run-your-applications-in-a-mac-os-x-sandbox-to-enhance-security/ https://github.com/VirusTotal/yara/pull/463
- #42: https://9to5mac.com/2016/02/09/sparkle-vulnerability-os-x/
- #43: https://support.apple.com/en-us/HT201642 http://krypted.com/mac-security/command-line-alf-on-mac-os-x/ https://pleiades.ucsc.edu/hyades/PF_on_Mac_OS_X
- #44: https://www.obdev.at/products/littlesnitch/index.html
- #45: http://www.hanynet.com/icefloor/ http://murusfirewall.com/
- #46: http://newosxbook.com/DMG.html https://www.davd.eu/posts/os-x-run-any-command-in-a-sandbox/ http://www.securitygeneration.com/security/mac-os-x-skype-0day-remote-code-execution-vulnerability/
- #47: https://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-PAPER.pdf
- #49: https://objective-see.com/products/blockblock.html
- #50: http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/
- #51: https://www.zdziarski.com/blog/?page_id=6171
- #53: https://objective-see.com/products/knockknock.html
- #54: https://www.peterborgapps.com/lingon/
- #55: http://yelp.github.io/osxcollector/
- #56: https://techcrunch.com/2016/10/28/apples-new-intel-driven-macbooks-have-a-secondary-arm-processor-that-runs-touch-id-and-security/ https://www.cnet.com/special-reports/jony-ive-talks-about-putting-the-apple-touch-on-the-macbook-pro/